
[backport core/1.39] fix: prevent XSS vulnerability in context menu labels #8924

Merged
pythongosssss merged 1 commit into core/1.39 from backport-8887-to-core-1.39 on Feb 17, 2026

Conversation

comfy-pr-bot (Member) commented Feb 16, 2026

Backport of #8887 to core/1.39

Automatically created by backport workflow.


Replace innerHTML with textContent when setting context menu item labels
to prevent XSS attacks via malicious filenames. This fixes a security
vulnerability where filenames like "<img src=x onerror=alert()>" could
execute arbitrary JavaScript when displayed in dropdowns.

https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu


Issue is synchronized with this [Notion page](https://www.notion.so/PR-8887-fix-prevent-XSS-vulnerability-in-context-menu-labels-3086d73d365081ccbe3cdb35cd7e5cb1) by [Unito](https://www.unito.io)

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions <github-actions@github.com>
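The vulnerable assignment and its fix, as an added example that is not part of this PR or the project's own code (the element, function and class names, and the string-building helper, are assumptions; the filename is the one quoted in the description above):

```javascript
// Added example, not the project's own code: the "before" and "after" of
// the fix described above, plus the escaping needed when a label must be
// built into an HTML string instead of assigned to an element.
// Element and function names here are hypothetical.

// BEFORE: the label (a user-controlled filename) is parsed as HTML, so a
// filename such as "<img src=x onerror=alert()>" becomes a live <img>
// element whose onerror handler runs as soon as the menu renders.
function setLabelUnsafe(labelEl, filename) {
  labelEl.innerHTML = filename;
}

// AFTER: the label is assigned as text, so '<', '>' and '&' in the
// filename are displayed literally and no markup is ever parsed.
function setLabelSafe(labelEl, filename) {
  labelEl.textContent = filename;
}

// When a label has to be spliced into an HTML string (template literals,
// innerHTML on a container element), escape it first. Quotes are escaped
// too so the result is also safe inside a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical helper that builds one menu entry as a string; the
// filename appears both in an attribute and in text, and is escaped in both.
function buildMenuItemHtml(filename) {
  const safe = escapeHtml(filename);
  return `<li class="menu-item" title="${safe}">${safe}</li>`;
}

// Constructed sample input: the payload quoted in the PR description.
const MALICIOUS_FILENAME = '<img src=x onerror=alert()>';

// Stand-in for a DOM element so the helpers can be exercised in Node
// (constructed for this example); a real browser element stores the
// same string for textContent but would parse markup for innerHTML.
function makeStubElement() {
  return { innerHTML: '', textContent: '' };
}

function demo() {
  const el = makeStubElement();
  setLabelSafe(el, MALICIOUS_FILENAME);
  return { rendered: el.textContent, html: buildMenuItemHtml(MALICIOUS_FILENAME) };
}
```

In a browser, `setLabelSafe` leaves the element's serialized `innerHTML` as `&lt;img src=x onerror=alert()&gt;`, which is exactly what the user sees as the label.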
@comfy-pr-bot comfy-pr-bot added the backport Backporting a PR onto a release candidate label Feb 16, 2026
@comfy-pr-bot comfy-pr-bot requested a review from a team as a code owner February 16, 2026 23:31
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Feb 16, 2026
coderabbitai bot (Contributor) commented Feb 16, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


github-actions bot commented Feb 16, 2026

🎨 Storybook Build Status

Build completed successfully!

⏰ Completed at: 02/16/2026, 11:32:59 PM UTC

🎉 Your Storybook is ready for review!

github-actions bot commented Feb 16, 2026

Playwright: ✅ 523 passed, 0 failed · 2 flaky

📊 Browser Reports
  • chromium: ✅ 511 / ❌ 0 / ⚠️ 2 / ⏭️ 8
  • chromium-2x: ✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0
  • chromium-0.5x: ✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0
  • mobile-chrome: ✅ 9 / ❌ 0 / ⚠️ 0 / ⏭️ 0

@pythongosssss pythongosssss merged commit 725b45c into core/1.39 Feb 17, 2026
38 checks passed
@pythongosssss pythongosssss deleted the backport-8887-to-core-1.39 branch February 17, 2026 10:23